CVE-2023-5669 in Featured Image Caption Plugininfo

Summary

by MITRE • 11/07/2023

The Featured Image Caption plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and post meta in all versions up to, and including, 0.8.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/11/2026

The Featured Image Caption plugin for WordPress represents a critical security vulnerability classified as CVE-2023-5669, which affects all versions up to and including 0.8.10. This vulnerability manifests as a stored cross-site scripting flaw that exploits the plugin's shortcode and post meta functionality, creating a persistent threat vector within WordPress environments. The vulnerability specifically targets the plugin's insufficient input sanitization and output escaping mechanisms, which fail to properly validate or escape user-supplied attributes before processing them. This weakness enables malicious actors to inject malicious scripts that persist in the database and execute whenever affected pages are accessed by unsuspecting users, making it particularly dangerous for content management systems where multiple users contribute content.

The technical flaw resides in the plugin's failure to implement proper security controls around user input handling, which directly correlates to CWE-79 - Improper Neutralization of Input During Web Page Generation. This weakness allows attackers to bypass standard security measures by embedding malicious payloads within the plugin's shortcode parameters or post meta fields. The vulnerability's exploitation requires only contributor-level permissions or higher, which significantly broadens the attack surface since many WordPress installations have multiple users with these elevated privileges. The stored nature of the vulnerability means that once injected, the malicious scripts remain persistent in the system until manually removed, creating a continuous threat that can affect any user who accesses pages containing the injected content. This type of vulnerability falls under the ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, as it enables attackers to create malicious content that can be delivered to users through legitimate content management workflows.

The operational impact of CVE-2023-5669 extends beyond simple script execution, as it provides attackers with potential access to user sessions, data exfiltration capabilities, and the ability to perform further attacks through compromised user accounts. The vulnerability can be leveraged to steal cookies, redirect users to malicious sites, or even establish persistent backdoors within the WordPress environment. Since the plugin operates within the WordPress ecosystem, successful exploitation could potentially lead to broader system compromise, especially if attackers can escalate privileges or use the injected scripts to target other components within the same installation. The vulnerability affects the integrity and confidentiality of the WordPress installation, as it allows unauthorized code execution in the context of authenticated users. Organizations running affected versions must consider the potential for data loss, unauthorized access to sensitive information, and the possibility of establishing persistent access to their content management systems.

Mitigation strategies for CVE-2023-5669 should prioritize immediate plugin updates to versions that address the stored XSS vulnerability, as this represents the most effective solution. Administrators should also implement proper access controls and user permission management to limit contributor-level access to trusted personnel only, reducing the attack surface for potential exploitation. Additional protective measures include implementing Content Security Policy headers, regular security audits of plugin installations, and monitoring for suspicious shortcode usage or meta field modifications. The vulnerability demonstrates the importance of input validation and output escaping as fundamental security practices, reinforcing the need for developers to follow secure coding guidelines and for organizations to maintain comprehensive security monitoring practices. Organizations should also consider implementing web application firewalls and intrusion detection systems to help identify and block malicious script injection attempts. Regular security assessments and vulnerability scanning should be conducted to identify similar weaknesses in other plugins or themes that may present similar risks to the WordPress environment.

Responsible

Wordfence

Reservation

10/19/2023

Disclosure

11/07/2023

Moderation

accepted

CPE

ready

EPSS

0.00604

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!